I’ve said it a lot over the last couple years, the legacy black-box Managed Security Services Provider (MSSP) model is dying a slow death. I wish I had a nickel for each time I heard someone say they are dissatisfied with their black-box MSSP. Truth of the mater is I don’t blame anyone, rather it’s just a change in times. I mean, really, even the horse and carriage gave away to the Ford Model T. Now the gas automobile engine is feeling pressure from the enhancement in electric motor development.
With all technology the barrier to entry gets reduced over the years. At first the technology is revolutionary and ground breaking, and over time new competitors find ways to compete for less money. It’s capitalism and competition at it’s finest.
The black box MSSP market is one market in the security space that is suffering from advancement in modern technology. Examples come in the form of Splunk, LogRhythm or other like solutions that give companies the ability to build their own MSSP or Security Operations Center (SOC) in house. The best analogy I can think of is the Splunk’s and LogRhythm’s of the world are replacing legacy MSSPs just like the PlayStation and Nintendo replaced the video game arcade. Security folks don’t need to “go out” for a security service they can build their own MSSP or SOC solution in house with the technology that’s freely available today.
The black-box MSSP market is dying the death of a 1000 cuts. There’s still value in the solution, but someone needs to change the client optics of the solution and try to regain the value. It’s an uphill battle though. Between new MSSP competitors coming to the space, a shifting threat landscape with makes threat intel obsolete in minutes, new technology entering the market, and competing sales reps pitching empty two-dimensional solutions like a cardboard saloon in an old western movie it’s becoming tough for these providers to compete. BUT, for some, they are the regular type of vendor and it keeps them in the fight.
The Pedigree of Partner Matters
Before you make a bad decision on your MSSP or security partner there’s a few things you need to know about the “players” in the security space. Just a side – this might be a forgone conclusion but I need to say it anyway–there’s value in using a security firm as your security partner.
- Accounting firms play in the MSSP space (trust me…it’s real, see the Big 4), and I say you’d never hire a security firm to do your taxes so why is an accounting firm qualified to do security?
- IT Service providers play in the MSSP space (this is also real), beside from being a massive conflict of interest, just because they run a mean help-desk operation doesn’t qualify them to hunt for emerging security threats or make them experts on command and control to name a few. Because you know about a laptop, doesn’t translate to servers, and doesn’t translate to networking, and definitely doesn’t translate to security of any of these things. Other words, an HVAC technician probably wouldn’t be a good car mechanic and a car mechanic probably isn’t good at repairing HVAC issues.
- Lastly if you work with a security firm make sure they have some security chops not just pitching 400 different security technologies that your sales rep learned about in a 30 minute on line training. Security engineering is a real discipline, and reading a sales brochure for 30 minutes doesn’t make you a security engineer.
But first and foremost, to understand what’s good and what’s bad you need understand the market a bit. So here it goes…
There are generally three types of MSSPs:
Black Box MSSP
I’ll spare the names of the common players in the space, but they’re the regular type of vendor. The model looks like this, they’ll give you a log aggregator or log forwarder that is installed at your company. This log aggregator sends your log files to a monitoring service, and you never see your logs again. If there’s an issue your MSSP will email you with the alert, but they won’t help you investigate if there is an issue. Which is an issue because they have your log files! If you need to investigate, that’s another team at that company and they charge you $500+/hr to look at your log files and do an “investigation”.
Grey Box MSSP
A grey box is usually a provider that will take custody of your log files and keep them stored at their facility for you. Usually these providers will give you access to your log files so you can view those files, they’ll likely send you a weekly status report, but you will be limited as to what you can do with your log files. There’s some buyer beware here, if a company is hosting your software license in a multi-tenant instance and they have your data, and you need to go a different route “deciding who gets the kids in the divorce can be tough.” I’ll give you an example, you buy a Splunk instance or a LogRythm instance and your security company hosts the license in a multi tenant fashion, be sure to get the terms of termination in your contract so there’s not surprises. There’s also this, these types and Black Box MSSPs are a cyber-crime target:
- https://www.cso.com.au/article/643350/managed-service-providers-new-target-cybercriminals/
- https://www.msspalert.com/cybersecurity-news/dhs-warning-msps-csps/
- https://www.us-cert.gov/ncas/alerts/TA18-276B
White Box MSSP (co-managed)
A white box MSSP is also considered a co-managed provider. This means you own the technology, you keep possession of your data, you can use your systems how you want supported by a security partner that will help you build your MSSP or SOC. Basically when your provider does their security investigation and hunting, they do it on your single tenant instance.
The advantages of this solution is many but the key benefits include:
- Ability to see and access when you want and how you want.
- All your data stays at your company.
- Your security partner can help build your security team through shadowing.
- You own the licensing, so if decide to start with an MSSP in this model when they roll off all the good work stays behind.
- You can track and inspect actions of your MSSP provider.
- If you operate a Capital Expenditure model your technology asset will have residual value.
If you are looking for an Managed Security Service Provider (MSSP) NuHarbor Security offers a best of breed white-box, co-managed, security offering that you can find here: https://nuharborsecurity.com/splunk-managed-services/